Ignite, Microsoft’s enterprise IT-oriented conference, is going on this week in Chicago. Yesterday’s keynote covered a lot of ground, and for this article I’m going to go over all the enterprise mobility management announcements.
For the first few years, Microsoft Intune had only basic EMM capabilities, but recently it’s taking off. A year ago Microsoft announced the new Enterprise Mobility Suite, which combines Intune, Azure Active Directory Premium, and Azure Rights Management Services. Subsequently, they’ve filled out Intune’s MDM capabilities, added app-level mobile app management, and released Office productivity apps for iOS and Android, finally including Outlook, too. There’s no doubt Microsoft is becoming a major EMM player, and on a recent earnings call they said the Enterprise Mobility Suite now has 13,000 enterprise customers.
What’s new this week? Microsoft frames EMM as having four layers—devices, apps, files, and identity—and the biggest announcements came from the latter two layers.
With their file management announcements, Microsoft is implementing some interesting mobile information management concepts we’ve talked about in the past.
First, there’s a new document tracking feature in Azure RMS. RMS and all sorts of DLP/IRM systems have been around for years, but today Microsoft announced previews of new file sharing and tracking features. Users can control who has access to a file, see if it’s been opened, revoke access, and set other policies, all no matter how the file is shared or where it goes. Again, these aren’t completely new concepts, but the execution and packaging is impressive.
Second, Microsoft is advancing DLP controls by making them aware of separation between work and personal data. Windows 10 will support dual persona-aware policies to control copy/paste, file sharing, which apps can access corporate data, and which apps can use the VPN.
This dual persona awareness will be coming to Intune-managed mobile apps, too. Here’s the interesting part: when most EMM vendors talk about dual persona, they’re usually talking about entire apps that are used for work on a devices that also have personal apps. But in this case, Microsoft demonstrated dual persona awareness within an app—Outlook for iOS was shown enforcing separate policies for work and personal accounts. This is the first time they showed this off, and it will come in a preview soon. This functionality will also be added to other Office apps and be a part of the Intune MAM SDK.
At the identity layer, Microsoft highlighted Azure Active Directory features like Cloud App Discovery, which became generally available yesterday. (It uses an agent on the end point, if you were curious.) SSO for SaaS is important in its own right, but Microsoft also emphasized the security benefits:
Azure AD has policy controls along with machine learning that can look for issues like patterns in failed authentication attempts or impossible travel scenarios and create reports. A new feature going into preview later this month is that Azure AD will have a service that searches for stolen account credentials that are for sale on the “seedier” parts of the internet.
Microsoft also talked about their new Advanced Threat Analytics (based on a recent acquisition) that can detect compromised user credentials within a network. This is in preview now.
Even more upcoming components?
What else is coming up? There are a ton of other components that can be part of a comprehensive EMM offering. I had the opportunity to ask Brad Anderson about Microsoft’s upcoming plans yesterday afternoon.
One thing we talked about was the spread of the Intune partner ecosystem. They don’t want to publish a whole list or store yet, but like other EMM vendors, Microsoft is working with many ISVs that will implement the Intune MAM SDK in their apps.
While we’re on that topic, recently I wrote that Microsoft should open up mobile app management for the Office mobile apps. That’s definitely not in their plans, though. Naturally, it’s a significant unique selling point for Intune that they want to hold on to; but besides that, the tight integration between the apps and the whole Office 365 and Enterprise Mobility Suite platform means that IT wouldn’t get the same functionality by plugging the Office apps into another EMM.
There wasn’t any news about the Intune Company Portal apps yesterday, but Microsoft's vision is that they’ll combine access to web, native mobile, and remote Windows applications all in one place—essentially the same workspace aggregation concept that Citrix, VMware, and others are talking about. We know that this takes time, though.
One mobile device category that Microsoft hasn’t talked about yet for Intune is Mac OS X laptops, but they plan to support the MDM APIs in OS X, too.
Lastly, Azure Remote App got a bit of time in the keynote. After all of our coverage of app re-factoring over the last few months, I can’t help but think that Microsoft should be in the market for one of these products, too.
For the sake of completeness, there are just a few more EMM-related announcements to mention:
- Outlook mobile app support for Intune MAM and conditional access policies is coming later this quarter; the Skype for Business apps will get similar updates in the third quarter.
- Microsoft is previewing Azure AD privileged identity management.
- Intune now supports Windows 10
It’s hard not to be impressed by Microsoft’s EMM efforts. They’re advancing rapidly, and what features they may still lack are getting added in their series of monthly releases. Beyond that, they’re joining the EMM conversation at a high level with their mobile information management and identity and access management products. Still, there are a lot of changes and new products for customers to understand and get comfortable with—it will take at least another year or two until we see how the EMM market really shakes out. In the mean time, though, Microsoft is making all the right moves.